comp.security.ssh - SSH secure remote login and tunneling tools.
#1

Hi,

My company doesn't allow any kind of connection to the outside. The only way you can have access to the internet is through the company's HTTP proxy. Other traffic (DNS included) is prohibited.

I have learned that you can access an SSH server via an HTTP proxy. But when I set it up in PuTTY (under Connection -> Proxy tab) it looks like the HTTP proxy detects I am trying to connect to an SSH server. Thus it throws a "service not allowed" exception (error 403).

But if I try to change the port # of the SSH server setting for PuTTY from 22 to 80 it throws this exception:

503: service unavailable.

So I wonder if I change my SSH server port to 8080 for example, will it work for me?

Thanks guys
|
|
|
#2

Doug wrote:
> Hi,
> My company doesn't allow any kind of connection to outside. The only
> way you can have access to the internet is thru the company's HTTP
> proxy. Other traffic (DNS included) is prohibited.
> I have learned that you can access ssh server via http proxy. But when
> I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> service not allowed exception (error 403).
> But if I try to change the port # of ssh server setting for PUTTY from
> 22 to 80 it throws this exception:
> 503: service unavailable.
>
> So I wonder if I change my SSH server port to 8080 for example, will it
> work for me?
>
> Thanks guys

In order to access the web from work, do you have to enter the proxy server's info into your browser's configuration? If not, you may be hitting a firewall restriction and not a proxy server issue at all. If this is the case you just need to run your ssh server on a port that is not blocked by the firewall and configure PuTTY to connect to it directly on that non-standard port. A few that would likely work are 80 (http), 443 (https), 8080-8089 (typical proxy server port #'s).
|
|
|
#3

Thanks for your response.

Yes, I do have to enter the proxy hostname and port in my browser. As I indicated earlier, no traffic is allowed except traffic going through the proxy (after filtering and inspection, I guess).

Thanks

Chuck wrote:
> Doug wrote:
> > Hi,
> > My company doesn't allow any kind of connection to outside. The only
> > way you can have access to the internet is thru the company's HTTP
> > proxy. Other traffic (DNS included) is prohibited.
> > I have learned that you can access ssh server via http proxy. But when
> > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> > service not allowed exception (error 403).
> > But if I try to change the port # of ssh server setting for PUTTY from
> > 22 to 80 it throws this exception:
> > 503: service unavailable.
> >
> > So I wonder if I change my SSH server port to 8080 for example, will it
> > work for me?
> >
> > Thanks guys
>
> In order to access the web from work, do you have to enter the proxy
> server's info into your browser's configuration? If not you may be
> hitting a firewall restriction and not a proxy server issue at all. If
> this is the case you just need to run your ssh server on a port that is
> not blocked by the firewall and configure putty to connect to it
> directly on that non-standard port. A few that would likely work are 80
> (http), 443 (https), 8080-8089 (typical proxy server port #'s).
|
|
|
#4

"Doug" <dmly.usa@gmail.com> writes:
> Hi,
> My company doesn't allow any kind of connection to outside. The only
> way you can have access to the internet is thru the company's HTTP
> proxy. Other traffic (DNS included) is prohibited.
> I have learned that you can access ssh server via http proxy. But when
> I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> service not allowed exception (error 403).
> But if I try to change the port # of ssh server setting for PUTTY from
> 22 to 80 it throws this exception:
> 503: service unavailable.
>
> So I wonder if I change my SSH server port to 8080 for example, will it
> work for me?

If you change your SSH server to listen on 443 you'll probably be golden.

--
Todd H.
http://www.toddh.net/
|
|
|
#5

Todd H. wrote:
> "Doug" <dmly.usa@gmail.com> writes:
>
> If you change your SSH server to listen on 443 you'll probably be
> golden.

Most likely it will not... or at least, this is just half of the job.

An http-proxy can be made to just pass the packets to another machine with the "connect" method. (Just telnet to your http-proxy port and enter "connect rem.ote.mach.ine port".)

In a lot of setups (including my own) the connect method is only allowed to port 443, so your ssh-server should listen on that port.

But you still need software which connects to the http-proxy and tells it to pass this connection along using the connect method.

There's one: http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html

I use it for exactly this job under Linux. connect.c can be compiled for Windows too, but I don't know whether you can make PuTTY use this connect command. I have no Windows machine here to test this, but maybe in 13 hours.

Cheers,
Armin
|
|
|
#6

But that is if you are using OpenSSH.

I understand that PuTTY already has HTTP proxy connect built in.
I hope my understanding is correct.

doug

On Oct 16, 1:48 pm, "hasenhei" <hasen...@gmail.com> wrote:
> Todd H. wrote:
> > "Doug" <dmly....@gmail.com> writes:
> >
> > If you change your SSH server to listen on 443 you'll probably be
> > golden.
>
> most likely it will not.... or at least, this just half of the job.
>
> An http-proxy can be made to just pass the packets to another machine
> with the "connect"-method. (just telnet to your http-proxy port and
> enter "connect rem.ote.mach.ine port")
>
> In a lot of setup (including my own) the connect-method is only allowed
> to port 443, so your ssh-server should listen on that port.
>
> But you still need a software which connects to the http-proxy and
> tells it to pass this connection along using the connect-method.
>
> There's one: http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html
> I use it for exactly this job under Linux. connect.c can be compiled
> for Windows too, but I don't know wheter you can make putty using this
> connect-command. I have no Windows machine here to test this, but maybe
> in 13 hours.
>
> Cheers,
> Armin
|
|
|
#7

Doug wrote:
> But that is you are using openSSH.
> I understand that Putty already has HTTP proxy connect build in.
> I hope my understading is correct.

Doug, your understanding is absolutely correct :-)

I just didn't know that PuTTY has this functionality built in. I just tested configuring a proxy in PuTTY on a Windows machine now, and it worked fine.

Doug wrote:
> But when
> I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> service not allowed exception (error 403).

Right, this is what I meant when saying "In a lot of setups (including my own) the connect method is only allowed to port 443".

The proxy server of your company does not allow the connect method to port 22.

> But if I try to change the port # of ssh server setting for PUTTY from
> 22 to 80 it throws this exception:
> 503: service unavailable.

Yes, because there's no ssh-server (not even anything at all) responding on port 80 on the machine you try to connect to.

I think the solution to your problem was already given by Todd H. in his previous message.

You should configure your ssh-server to listen on port 443 (maybe 80 would do too here, but 443 is better). Of course you need to tell PuTTY to connect to port 443 then. I just tested this here, and it worked fine.

Cheers,
Armin

PS: Be careful with firewall-piercing if your work contract does not allow such habits. Of course this ssh connection shows up in the proxy log.
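The CONNECT exchange Armin and Doug are describing, as an added example that is not part of the thread and is not PuTTY's or OpenSSH's code: it builds the CONNECT request an HTTP proxy expects, parses the proxy's status line, keeps any bytes that arrive after the headers (after a 2xx those already belong to sshd), and maps the two codes seen above, 403 and 503, to what they normally indicate. The sample replies are constructed; `connect_via_proxy()` needs a real proxy and target and is not exercised offline.

```python
"""HTTP CONNECT tunnel probe (added example, not code from the thread).

Builds the CONNECT request an HTTP proxy expects, parses the proxy's reply,
and explains the status codes Doug saw. connect_via_proxy() does what
PuTTY's "HTTP" proxy setting does internally before the SSH handshake.
"""
import socket
from typing import Tuple

# Constructed sample replies, modelled on the thread: 403 on port 22,
# 503 on port 80, success once sshd listens on 443.
SAMPLE_REPLIES = {
    "port22": b"HTTP/1.0 403 Forbidden\r\nProxy-Agent: example\r\n\r\n",
    "port80": b"HTTP/1.0 503 Service Unavailable\r\n\r\n",
    "port443": b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_4.3\r\n",
}


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT in authority form (RFC 7231 s4.3.6); HTTP/1.1 requires Host."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str, bytes]:
    """Return (status, reason, leftover).

    leftover is whatever followed the blank line that ends the proxy's
    headers. After a 2xx it is already the tunnelled peer's data, e.g. the
    sshd identification string, so it must not be discarded.
    """
    head, sep, leftover = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response: headers not terminated")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, leftover


def diagnose(status: int) -> str:
    """Map a CONNECT status to the situation it usually indicates."""
    if 200 <= status < 300:
        return "tunnel open: speak SSH on this socket now"
    if status == 403:
        return "proxy policy refuses CONNECT to this port (try 443)"
    if status == 407:
        return "proxy requires authentication (Proxy-Authorization header)"
    if status in (502, 503, 504):
        return "proxy allowed the port but nothing answered behind it"
    return f"unexpected proxy status {status}"


def connect_via_proxy(proxy: Tuple[str, int], target: Tuple[str, int],
                      timeout: float = 10.0) -> Tuple[socket.socket, bytes]:
    """Open a CONNECT tunnel and return (socket, peer's first line).

    For an sshd behind the tunnel the first line is its identification
    string (RFC 4253 s4.2), e.g. b"SSH-2.0-OpenSSH_4.3". Needs network
    access, so it is not run offline.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(*target))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed before sending a status line")
            buf += chunk
        status, reason, banner = parse_connect_response(buf)
        if status // 100 != 2:
            raise ConnectionError(f"{status} {reason}: {diagnose(status)}")
        while b"\n" not in banner:          # finish reading the first line
            chunk = sock.recv(256)
            if not chunk:
                break
            banner += chunk
        return sock, banner.split(b"\n", 1)[0].rstrip(b"\r")
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        status, reason, rest = parse_connect_response(reply)
        print(f"{name}: {status} {reason} -> {diagnose(status)}; leftover={rest!r}")
```

On the server side, the matching change in OpenSSH is a second `Port 443` directive in sshd_config next to the existing `Port 22`, so the normal port keeps working; whether 80 or 8080 also works depends purely on which ports the proxy permits CONNECT to, which is what the 403 reports.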
|
|
|
#8

Just an update.

I did what Todd told me and it is working fine.
Thanks Todd, you're the man.

hasenhei wrote:
> Doug wrote:
> > But that is you are using openSSH.
> > I understand that Putty already has HTTP proxy connect build in.
> > I hope my understading is correct.
>
> Doug, your understanding is absolutely correct :-)
>
> I just didn't know that putty has this functionality built-in. I just
> tested configuring proxy in putty on a windows-machine now, and it
> worked fine.
>
> Doug wrote :
> > But when
> > I set it up in PUTTY (under Connection -> Proxy tab) looks like the
> > HTTP proxy detects I am trying to connect to SSH server. Thus it throws
> > service not allowed exception (error 403).
>
> Right, this is what I meant when saying "In a lot of setup (including
> my own) the connect-method is only allowed to port 443,".
>
> The proxy-server of your company does not allow the connect-method to
> port 22.
>
> > But if I try to change the port # of ssh server setting for PUTTY from
> > 22 to 80 it throws this exception:
> > 503: service unavailable.
>
> Yes, because there's no ssh-server (not even anything at all)
> responding on port 80 on the machine you try to connect to.
>
> I think the solution to your problem was already given by Todd H. in
> his previous message.
>
> You should configure your ssh-server to listen on port 443 (maybe 80
> would do too here, but 443 is better).
> Of course you need to tell putty to connect to port 443 then. I just
> tested this here, and it worked fine.
>
> Cheers,
> Armin
>
> PS: Be careful with firewall-piercing if your work-contract does not
> allow such habits.
> Of course this ssh-connection shows up in the proxy-log.
|
|
|
#9

"Doug" <dmly.usa@gmail.com> writes:
> Just an update.
> I did what what Todd told and it is working fine.
> Thanks Todd, you the man

Woot! Glad to.

So setting up the server to listen on 443 let you get out to it just fine?

--
Todd H.
http://www.toddh.net/
|
|
|
#10

Yes,

Apparently setting up sshd listening on 443 or 8080 would be fine. I set it up at 8080 by the way.

Thanks man

Todd H. wrote:
> "Doug" <dmly.usa@gmail.com> writes:
>
> > Just an update.
> > I did what what Todd told and it is working fine.
> > Thanks Todd, you the man
>
> Woot! Glad to.
>
> So setting up the server to listen on 443 let you get out to it just
> fine?
>
> --
> Todd H.
> http://www.toddh.net/
|
|
|
#11

On Mon, 23 Oct 2006 14:59:19 -0700, Doug wrote:
> Apparently setting up sshd listening on 443 or 8080 would be fine.

I have always set my home ssh server on port 443 for this reason and it has worked for me. Does anybody know whether this will always work in all environments? Or are there "deep inspection" corporate firewalls that can discern the ssh content (the setup at least) and block it (but still pass normal https)?
|
|
|
#12

Mark <markbpan@mailinator.com> wrote:
> On Mon, 23 Oct 2006 14:59:19 -0700, Doug wrote:
>> Apparently setting up sshd listening on 443 or 8080 would be fine.
> I have always set my home ssh server on port 443 for this reason and it
> has worked for me. Does anybody know whether this will always work in
> all environments? Or are there "deep inspection" corporate firewalls
> that can discern the ssh content (the setup at least) and block it (but
> still pass normal https)?

I don't know about 'discern the ssh content', but you could use a web proxy instead of a normal firewall. Such a device could participate in the HTTPS connection, which the ssh client would not conduct. That would prevent basic use of the port. You could still tunnel traffic, but it would have to be done within an HTTPS transport rather than directly via TCP/443.

The first hit for me on google turned up this page:
http://dag.wieers.com/howto/ssh-http-tunneling/

--
Darren Dunham                                           ddunham@taos.com
Senior Technical Consultant         TAOS            http://www.taos.com/
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >
|
|
|
#13

Mark <markbpan@mailinator.com> wrote:
> I have always set my home ssh server on port 443 for this reason and it
> has worked for me. Does anybody know whether this will always work in
> all environments? Or are there "deep inspection" corporate firewalls
> that can discern the ssh content (the setup at least) and block it (but
> still pass normal https)?

One simple thing a firewall can do which hardly touches HTTPS but frustrates _most_ of the useful things you can do with SSH is to set a very short maximum lifetime on any connection. No need to even try to figure out the nature of the data being passed.

I haven't heard of anyone deliberately doing this to annoy SSH users, but I do know I've heard of firewalls doing this _by accident_ and only SSH users noticing...

--
Simon Tatham         These are my opinions. There are many
<anakin@pobox.com>   like them but these ones are mine.
|
|
|
#14

Well, in PuTTY I set the "keepalive" parameter to 26 secs. So PuTTY constantly keeps the connection alive every 26 secs. I believe the firewall only closes the connection if it is inactive for 30 or 50 seconds.

Regards

On Oct 24, 1:51 am, Simon Tatham <ana...@pobox.com> wrote:
> Mark <markb...@mailinator.com> wrote:
> > I have always set my home ssh server on port 443 for this reason and it
> > has worked for me. Does anybody know whether this will always work in
> > all environments? Or are there "deep inspection" corporate firewalls
> > that can discern the ssh content (the setup at least) and block it (but
> > still pass normal https)?
>
> One simple thing a firewall can do which hardly touches HTTPS but
> frustrates _most_ of the useful things you can do with SSH is to set
> a very short maximum lifetime on any connection. No need to even try
> to figure out the nature of the data being passed.
>
> I haven't heard of anyone deliberately doing this to annoy SSH
> users, but I do know I've heard of firewalls doing this _by
> accident_ and only SSH users noticing...
>
> --
> Simon Tatham         These are my opinions. There are many
> <ana...@pobox.com>   like them but these ones are mine.
|
|
|
#15

On 2006-10-23, Mark <markbpan@mailinator.com> wrote:
> On Mon, 23 Oct 2006 14:59:19 -0700, Doug wrote:
>> Apparently setting up sshd listening on 443 or 8080 would be fine.
>
> I have always set my home ssh server on port 443 for this reason and it
> has worked for me. Does anybody know whether this will always work in
> all environments? Or are there "deep inspection" corporate firewalls
> that can discern the ssh content (the setup at least) and block it (but
> still pass normal https)?

They could, trivially (SSH connections always start with the "SSH-" identifier), although I'm not aware of any product that actually does this.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
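Darren Tucker's point, and Mark's question in #11, as an added example that is not from the thread: the check an inspecting proxy or firewall could run on the first bytes of each direction of a port-443 flow. It relies only on the cleartext SSH identification string (RFC 4253) and the TLS handshake record header (RFC 5246). It goes a little beyond the one-line remark above: it examines both directions, because sshd announces itself unprompted, and it tolerates the banner lines a server may send before its "SSH-" line. The sample flows are constructed and `decide_port443()` is a hypothetical policy, not any product's.

```python
"""First-bytes classifier (added example, not from the thread).

Shows how a device in the path could tell SSH from TLS on port 443 without
decrypting anything: SSH announces itself in cleartext with an
identification string, TLS starts with a handshake record.
"""
from typing import Tuple

SSH_PREFIX = b"SSH-"          # RFC 4253 s4.2, sent by both client and server
TLS_HANDSHAKE = 0x16          # RFC 5246 s6.2.1 ContentType.handshake
TLS_VERSION_MAJOR = 0x03
HELLO_TYPES = {0x01: "tls-client-hello", 0x02: "tls-server-hello"}

# Constructed sample flows: (client's first bytes, server's first bytes).
SSH_ON_443 = (b"SSH-2.0-PuTTY_Release_0.58\r\n", b"SSH-2.0-OpenSSH_4.3\r\n")
# A server may send text lines before its identification string
# (RFC 4253 s4.2), so the check must look past a first line without "SSH-".
SSH_WITH_BANNER = (b"SSH-2.0-PuTTY_Release_0.58\r\n",
                   b"Authorised users only\r\nSSH-2.0-OpenSSH_4.3\r\n")
# First 11 bytes of TLS records carrying a ClientHello / ServerHello:
# content type, record version, record length, handshake type, handshake
# length, hello version. Lengths are plausible; the rest is omitted.
TLS_CLIENT_HELLO_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0xa5,
                                 0x01, 0x00, 0x00, 0xa1, 0x03, 0x03])
TLS_SERVER_HELLO_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x4a,
                                 0x02, 0x00, 0x00, 0x46, 0x03, 0x01])
HTTPS_ON_443 = (TLS_CLIENT_HELLO_SAMPLE, TLS_SERVER_HELLO_SAMPLE)


def classify_first_bytes(data: bytes) -> str:
    """Label the opening bytes of one direction of a flow."""
    # Any line starting "SSH-" is an identification string; sshd's optional
    # pre-banner lines are plain text that does not start with it.
    for line in data.split(b"\n"):
        if line.startswith(SSH_PREFIX):
            return "ssh"
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == TLS_VERSION_MAJOR and data[5] in HELLO_TYPES):
        return HELLO_TYPES[data[5]]
    return "unknown"


def decide_port443(flow: Tuple[bytes, bytes]) -> str:
    """Hypothetical policy: on 443 allow only flows that look like TLS.

    Both directions are checked because sshd sends its identification
    string unprompted, so the server side gives the protocol away even
    before the client has spoken.
    """
    client, server = (classify_first_bytes(d) for d in flow)
    if "ssh" in (client, server):
        return "block"
    if client == "tls-client-hello" and server in ("tls-server-hello", "unknown"):
        return "allow"
    return "hold"   # not enough bytes yet to decide either way


if __name__ == "__main__":
    for name, flow in [("ssh", SSH_ON_443), ("ssh+banner", SSH_WITH_BANNER),
                       ("https", HTTPS_ON_443)]:
        print(name, [classify_first_bytes(d) for d in flow], decide_port443(flow))
```

A proxy of the kind Darren Dunham describes in #12, one that terminates the TLS session itself, needs none of this: an SSH client simply fails to complete the TLS handshake, which is why his fallback is carrying SSH inside a real HTTPS session. And Simon Tatham's connection-lifetime limit in #13 works without looking at a single payload byte.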
|